ntfs.sys - infected by Virus.Win32.Protector.c and braviax [Solved]
rlew
post Aug 25 2009, 01:36 AM
Post #1
New Member
Posts: 9
OS: Windows XP

First of all, my apologies for going against the rules of this Forum and opening a second topic, but

1) I have uncovered a new important fact that changes the nature of the infection
2) In my first post ( http://www.geekstogo.com/forum/braviax-exe...ml#topicoptions ) I have overzealously replied to my post five times with log files as requested in a related topic by another user and only then have I noticed that this should not be done because only unreplied topics are being handled.
I apologize - but this is following two sleepless nights struggling with the infections.

To get to the point, the infected computer runs Win XP Home SP3. Looking at the files I have become suspicious of the Windows\system32\drivers\ntfs.sys file because it is dated 21/08/2009 and 630kB rather than 574kB as on my other system and Windows XP CD. My suspicions grew as I discovered that this file is locked for opening (even in Safe mode) and won't allow copying.

What I did is booted the suspect computer to Linux Knoppix, was able to go online and submit the suspect file to Kaspersky file scan (www.kaspersky.com/scanforvirus). Sure enough, the report says:

ntfs.sys - infected by Virus.Win32.Protector.c

Previously I had believed it was only the braviax.exe file - the other details with the requisite logs are available in my other topic:
http://www.geekstogo.com/forum/braviax-exe...ml#topicoptions

Of course, I will happily repost the logs here, if requested.

I am waiting (and begging) for help.

--
Robert

This post has been edited by rlew: Aug 25 2009, 01:37 AM
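The check described in the post above (a system driver whose size differs from the copy on install media and whose contents cannot be opened) can be scripted for a defender. This is an added example, not code from the thread or from any scanner mentioned in it; the file names and the byte-sized stand-ins for the 574 kB and 630 kB files are constructed.

```python
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Hash a file in chunks so a large driver need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_driver(suspect_path: str, reference_path: str) -> dict:
    """Compare a driver on the suspect volume with a trusted reference copy
    (the same file from install media, dllcache, or a known-clean machine)."""
    ref_size = os.path.getsize(reference_path)
    ref_hash = sha256_of(reference_path)
    # stat() still works when the file cannot be opened for reading.
    size = os.path.getsize(suspect_path)
    try:
        digest, readable = sha256_of(suspect_path), True
    except PermissionError:
        digest, readable = None, False
    findings = []
    if not readable:
        findings.append("contents not readable; inspect from offline boot media")
    if size != ref_size:
        findings.append(f"size {size} bytes differs from reference {ref_size}")
    if readable and digest != ref_hash:
        findings.append("SHA-256 differs from reference")
    return {"size": size, "sha256": digest, "readable": readable,
            "findings": findings,
            "verdict": "clean" if not findings else "suspicious"}


def demo() -> dict:
    """Constructed sample: a 'reference' driver and a copy with bytes appended,
    mirroring the 574 kB vs 630 kB observation (scaled down to bytes)."""
    with tempfile.TemporaryDirectory() as d:
        ref = os.path.join(d, "ntfs.sys.reference")   # hypothetical path
        bad = os.path.join(d, "ntfs.sys.suspect")     # hypothetical path
        clean_body = b"MZ" + b"\x00" * 572            # 574 bytes, constructed
        with open(ref, "wb") as f:
            f.write(clean_body)
        with open(bad, "wb") as f:
            f.write(clean_body + b"\xcc" * 56)        # 630 bytes, constructed
        return {"clean": check_driver(ref, ref),
                "tampered": check_driver(bad, ref)}
```

A size match alone is not proof of a clean file; the hash comparison against a reference taken from trusted media is the part that matters.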
rlew
post Aug 28 2009, 02:31 PM
Post #2
New Member
Posts: 9
OS: Windows XP

OK, three days have passed and I really needed to get the computer up and running, so I've had to take action myself and want to report on this here.

I downloaded an ISO image for a Dr. Web Linux distribution with an AV scanner and booted off this image. Here are the infections it reported, in a nutshell:

Temp Internet Files/...Install[1].exe - 2 counts
C:\Windows\pss\ikowin32.exe Startup
C:\Windows\system32\drivers\ntfs.sys
C:\Windows\system32\dllcache\ntfs.sys
Two false positives

It offered to repair (!) the ntfs.sys file, and to my surprise it did (don't know if it had one in store somehow, found a clean copy in the /i386 directory, or was able to remove the virus code from the binary file). Whichever it was, I was impressed. Of course, at this point it was possible to replace the ntfs.sys file under Linux with NTFS support.

So that went very well. The scanner wasn't as successful with rogue registry entries, and these I just cleaned by hand having booted into Safe mode, and again into the default user (though this time traces were only found in the MUIcache section, probably perfectly harmless).

After this, all scans have come out clean and the computer has behaved well.

Thank you.

Transience
post Aug 28 2009, 06:32 PM
Post #3
Unofficial Music Guru
Posts: 2,354
From: Massachusetts, USA
OS: Vista

Glad to hear you've figured this out. I'll close it up; shoot me a PM if you have other problems and need this reopened, or just start a new topic.
Transience
post Aug 28 2009, 06:32 PM
Post #4
Unofficial Music Guru
Posts: 2,354
From: Massachusetts, USA
OS: Vista

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.